hadoop-general mailing list archives

From Doug Cutting <cutt...@apache.org>
Subject Re: additional source only release tarball
Date Thu, 25 Feb 2010 18:42:57 GMT
Patrick Hunt wrote:
> Ah, thanks for clarifying that Doug. To take it a bit further, when you say 
> "bug" you really mean "serious breach of Apache process/rules", would 
> that be valid? i.e. it would be something that the responsible Apache 
> team should work to address with the highest priority.

To some degree that depends on the Apache project.  I don't know of a 
project that does not create release tags and that would accept an 
incorrect one lightly.  That said, release tags are not required nor 
authoritative: the thing that counts is the signed artifact.

I'd certainly encourage developers to leverage tags when convenient 
e.g., for automated testing against and comparison with prior releases, 
for IDE source browsing, etc.  But if someone wants to package an 
alternate distribution of an Apache release, I think they're better 
starting from the release artifact than the tag.  The artifact can be 
validated against the signature at http://www.apache.org/dist/, while 
there's currently no good means of validating the contents of a tag.  I 
suppose one could rebuild the tarball from the tag and try to validate 
its checksum against that at http://www.apache.org/dist/, but that seems 
both fragile and less secure.

Doug
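
An added example, not part of the original message or of any Apache tooling: it shows why comparing a tarball rebuilt from a tag against a published checksum is fragile, since identical files packed with a different timestamp or member order give a different archive checksum. The sample tree, the SHA-256 choice and the `content_digest` helper are assumptions made for illustration; a per-file comparison like this does not replace verifying the signed artifact.

```python
import hashlib
import io
import tarfile

# Constructed sample source tree (path -> bytes); not real release content.
TREE = {
    "project/README.txt": b"sample release\n",
    "project/src/Main.java": b"class Main {}\n",
}


def build_tarball(tree, mtime, order):
    """Pack tree into an in-memory .tar.gz with a given member mtime and order."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name in order:
            info = tarfile.TarInfo(name)
            info.size = len(tree[name])
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(tree[name]))
    return buf.getvalue()


def archive_digest(blob):
    """Checksum of the archive bytes, as a published checksum file would record."""
    return hashlib.sha256(blob).hexdigest()


def content_digest(blob):
    """Digest over sorted (path, file hash) pairs; ignores tar and gzip metadata."""
    h = hashlib.sha256()
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for member in sorted(tar.getmembers(), key=lambda m: m.name):
            if member.isfile():
                data = tar.extractfile(member).read()
                h.update(member.name.encode() + b"\0" + hashlib.sha256(data).digest())
    return h.hexdigest()


def compare(released, rebuilt):
    """Return (archive checksums match, file contents match)."""
    return (archive_digest(released) == archive_digest(rebuilt),
            content_digest(released) == content_digest(rebuilt))


released = build_tarball(TREE, mtime=1000000000, order=sorted(TREE))
# Same files rebuilt "from the tag": later timestamp, different member order.
rebuilt = build_tarball(TREE, mtime=1000000600, order=sorted(TREE, reverse=True))
# A rebuild whose tag content differs from the release by one file.
changed = build_tarball({**TREE, "project/README.txt": b"edited\n"},
                        mtime=1000000000, order=sorted(TREE))
```

`compare(released, rebuilt)` reports a checksum mismatch even though every file is identical, while `compare(released, changed)` shows that a real content difference is only distinguishable from packaging noise by inspecting the files themselves.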
